Millions of Dropbox Customers Hacked

The bad news is that, apparently, up to 7 million individual Dropbox accounts may have been exposed. Why? Because those 7 million Dropbox users ignored (or simply didn't know) the basic online safety rule: never use the same password across multiple accounts.

Yesterday, Anton Mityagin, writing on the official Dropbox Blog, announced that:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.

StubHub redux

It is essentially a much larger-scale version of the StubHub non-hack from last July: over a thousand StubHub accounts were taken over and used to buy tickets fraudulently, though StubHub's own database was never breached. The attackers had broken into various other websites, discussion forums and other password-protected services, stolen the passwords stored there, and found that at least some of those passwords also worked on the victims' StubHub accounts.

This technique is known as credential stuffing: once attackers have stolen the username and password for one of your accounts, they try that same pair against other services on the chance that it works there too. For over 1,000 StubHub customers last summer, it did. And it may have worked for up to 7 million Dropbox customers as well.
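From the defender's side, credential stuffing looks quite different from a password-guessing attack: one source tries many distinct usernames, each only once or twice, with a low but non-zero success rate, whereas brute force hammers one username with many passwords. The following Python example (added here as an illustration; it is not code from the original article or from Dropbox) classifies login sources in a constructed sample log and lists the accounts that were successfully logged into during a stuffing wave, which are exactly the users who most likely reused a password elsewhere. The log format, the IP addresses, the account names and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Assumed format:
#   <timestamp> src=<ip> user=<account> result=<ok|fail>
SAMPLE_LOG = """\
2014-10-13T21:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2014-10-13T21:00:02Z src=203.0.113.7 user=bob@example.com result=ok
2014-10-13T21:00:03Z src=203.0.113.7 user=carol@example.com result=fail
2014-10-13T21:00:04Z src=203.0.113.7 user=dave@example.com result=fail
2014-10-13T21:00:05Z src=203.0.113.7 user=erin@example.com result=ok
2014-10-13T21:00:06Z src=203.0.113.7 user=frank@example.com result=fail
2014-10-13T21:00:07Z src=203.0.113.7 user=grace@example.com result=fail
2014-10-13T21:00:08Z src=203.0.113.7 user=heidi@example.com result=fail
2014-10-13T21:05:00Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:05:01Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:05:02Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:05:03Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:05:04Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:05:05Z src=198.51.100.9 user=ivan@example.com result=fail
2014-10-13T21:10:00Z src=192.0.2.44 user=judy@example.com result=fail
2014-10-13T21:10:09Z src=192.0.2.44 user=judy@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts=5, stuffing_distinct_ratio=0.8):
    """Label each source IP by the shape of its login attempts.

    credential_stuffing: many attempts spread over (almost) as many distinct
                         usernames, i.e. one password tried per stolen account
    brute_force:         many attempts against a single username
    suspicious:          high volume that fits neither pattern cleanly
    normal:              too few attempts to judge (threshold is an assumption)
    """
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in per_src.items():
        attempts = len(evs)
        if attempts < min_attempts:
            verdicts[src] = "normal"
            continue
        distinct_users = len({e["user"] for e in evs})
        if distinct_users / attempts >= stuffing_distinct_ratio:
            verdicts[src] = "credential_stuffing"
        elif distinct_users == 1:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def compromised_by_stuffing(events, verdicts):
    """Accounts that were successfully logged into from a stuffing source.

    These are the users whose reused password from some other breach worked here;
    they are the ones who need a password reset, not the whole user base.
    """
    return sorted(
        {
            e["user"]
            for e in events
            if e["result"] == "ok" and verdicts.get(e["src"]) == "credential_stuffing"
        }
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for src, verdict in verdicts.items():
        print(f"{src:15} {verdict}")
    print("accounts to reset:", compromised_by_stuffing(evs, verdicts))
```

On the sample above, 203.0.113.7 is flagged as credential stuffing (eight attempts, eight different accounts, two of which succeeded), 198.51.100.9 as brute force (six attempts, one account), and the single user who mistyped a password once is left alone. In production the grouping would also consider user agent, ASN and time windows, since stuffing campaigns spread their attempts across many source addresses to stay under per-IP thresholds.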

Something similar happened with Gmail last month: initial reports said that Russian hackers had stolen 5 million Gmail passwords, but it turned out that the passwords had been taken not from Gmail itself but from various sites that require registration, where people had signed up using a Gmail address.

So the Dropbox “hacking” appears to be of the same kind as the earlier Gmail and StubHub “hackings”: the only Dropbox users who need to worry about it are those who still follow the dangerous habit of using the same password across multiple online accounts.

If you have two or more online accounts that share a password, even if none of them is with Dropbox, you need to change the password on every such account, giving each one a different password that you use nowhere else. A password manager makes that practical, and turning on two-step verification wherever a service offers it means that a stolen password on its own is no longer enough to log in.